Month December 2014

BYOD, Privacy and Security

Tags: Business, BYOD, Privacy, Security

It is very common for employers to allow or require employees to bring their own mobile devices, iPads and laptops into work and use those devices for work (“BYOD”).  A recent study reveals that the numbers are staggering:

• 89% of employees’ mobile devices connect to corporate networks;
• 65% of companies allow personal devices to connect to corporate networks;
• 78% of companies note that twice as many BYODs connect than did 2 years ago;
• 68% of American small businesses already embrace BYOD.

BYOD is obviously popular with businesses and their employees.  But it creates enormous risks and concerns for businesses and employees that can only be properly handled by an effective BYOD Policy.

Business Risks and Concerns

The primary concern of most employers is security and the unauthorized dissemination of confidential business information to third parties.  Allowing personal mobile devices increases the risk of unauthorized access, disclosure and destruction of business data, because employees can lose mobile devices that contain confidential information.  Or an employee can download viruses or malware along with the latest app, which can then infect the entire corporate network.

A related concern is an increased risk of liability from a data breach, particularly breaches involving access to personally identifiable financial or health information. For example, doctors regularly lose, or have stolen, mobile devices that contain patients’ personal health information.  These data breaches cost companies a significant amount of money and can lead to an unwanted and costly government investigation.

To the extent that nonexempt employees use personal mobile devices for work, the employer may also face exposure under the federal Fair Labor Standards Act or similar state statutes for failure to compensate these employees for overtime.  If nonexempt employees use these devices for work-related purposes outside their normal work hours, the employer may be required to pay them overtime compensation.

Employee Privacy Concerns

The use of personal devices for work-related activities offers employees greater convenience, flexibility and other advantages.  Employees are very attached to their personal mobile devices and a recent study shows that nearly 1/3 of employees would rather lose their wallet than their mobile device.  Using personal mobile devices for work raises some serious concerns among employees as work encroaches more and more on their personal life.

Loss of privacy and control over their electronic information are the two biggest concerns employees typically have with BYOD.  With respect to privacy, employees are concerned that employers will inappropriately access or use their personal information, particularly financial and health information, in ways that will harm them at work.  Employees are also concerned about losing control of their electronic information (e.g. photographs, videos, contacts, etc.) when employers attempt to remove or “wipe” business information from the employees’ device, which can be done remotely.  Employees store a lot of irreplaceable pictures, videos and other personal information on mobile devices and don’t want to lose these valuable memories.

BYOD Policy

To deal with these concerns, employers should develop a comprehensive BYOD policy and program that includes regular training and monitoring.  Below are some of the key issues that should be addressed:

Eligibility

Organizations should make clear who in the organization is allowed to use personal devices, whether on an ad hoc basis for a specific purpose or as a permanent replacement for corporate devices.  This can be viewed as a privilege to be earned, a response to employee demand, a requirement for certain types of roles, or a combination of these things.  For example, attorneys at different law firms are now regularly permitted to use their own mobile devices and iPads, but administrative assistants are not.  This is a function of client and partner demands and the need to be available 24 hours a day, 7 days a week.  Administrative assistants do not want or have the same client demands, so they are not permitted to use their mobile devices to access law firm networks.

Allowed Devices/Operating Systems

Organizations should also decide which operating systems will be supported under their BYOD policy.  Two areas that are a real challenge for BYOD policies are the diversity of operating systems on the various devices and the frequency of their updates.  The choices include Android from Google; iOS from Apple; Windows Phone and Windows Mobile from Microsoft; Blackberry OS from RIM; Symbian from Nokia; and a few others.  What’s worse, some operating systems have multiple versions in circulation, and updates to the devices may or may not be pushed automatically by the carrier, and may or may not be controllable by the enterprise.

These conditions make it very challenging to standardize on just a few configurations that you will allow workers to use and that you will support.  However, it is a best practice to set a minimum operating system version as a baseline requirement for users who bring in their own devices, in order to protect corporate data and the apps running on them.  This may eliminate some of the older phones that are still in use, but you need to take at least minimal steps to ensure the security of your corporate network without draining company resources.

Wiping Data off the Device

When a smartphone is lost or stolen, or when a worker is no longer employed by the company, it may be necessary to forcibly wipe data off the employee-owned device.  How this is done depends largely on the mobile device management tools in use.  Some tools allow a selective wipe, so that only corporate data is removed and personal data is unaffected.  Other management tools simply wipe the entire device clean.

Make sure that the BYOD policy clearly explains the data wipe method you will be using, and get a signed acknowledgment if the employee chooses to use their own device.  Also consider using a user agreement, which is discussed below.  To the extent feasible, it is better to selectively wipe corporate data and to leave personal data alone.  This will minimize the future risk of an employee lawsuit while still protecting the organization’s confidential information.

User Agreements

Companies should tread lightly when enforcing policies on personally-owned devices that are used for business.  From a legal standpoint, you should have a user agreement, which is a contract between the company and the end user regarding the use of the employee’s personal mobile device in the business environment.  Best practice is to have this contract presented to the employee regularly and have it affirmed periodically, typically once a year.

Key topics that should be considered for a user agreement include:

The Data Wipe Policy – The user agreement should specifically identify when information will be wiped from the device and what types of data will be wiped.

The Photo Policy – The user agreement should specifically identify what employees are not permitted to photograph (e.g. sensitive areas of the work environment; products in development; whiteboards and sensitive information or drawings).

Definition of Company Information – The user agreement should clearly explain what information is considered company information, how it must be handled, and that the organization ultimately owns all company information.

Web Filtering Requirements – Employees are expected to police their own behavior in terms of what shows up on their screens while connected to the corporate network and at work (e.g. no pornographic photos when the device is used in a business context).

Data Breach Trigger Policy – Employees must promptly report the loss or theft of the device and help the company determine if sensitive data is at risk.  The user agreement should specify the time-frame for reporting a lost or stolen device and the procedures regarding locking and wiping the device.

Maintain Certain Security Measures – The user agreement should also specify what security measures the employee should maintain with the device, such as installing certain software, maintaining updates, requiring antivirus protection, and other security measures.  It should also require a strong password to access the device.

Acceptable Use Policy – Additionally, the user agreement should specify how employees may handle company information on their personal device and what may be done with this information.  Typically, these policies prohibit employees from downloading company information to third-party cloud storage services, such as Dropbox or Google Drive.

Monitoring Policy – The user agreement should also inform the employee what kind of monitoring the employer will use with respect to the device and the BYOD policy.  This may include tracking the device’s location, monitoring internet and other activity, keystroke logging, phone call monitoring, and other types of monitoring.  This is a very sensitive area for employees, so be sure to consult with an attorney to determine the scope of monitoring that is legal in your jurisdiction, explain the policy clearly to employees, AND obtain the employee’s consent.

eDiscovery – The user agreement should also let employees know how e-discovery requests will be handled, should the need arise.  This is discussed further below.

Cost Sharing/Reimbursement

A primary reason why employers adopt a BYOD policy is to shift costs to employees.  The BYOD policy should clearly identify what costs will be borne by the employee and what costs will be reimbursed.

Some of the questions to ask and answer in connection with the policy are:

• Are individual users entitled to reimbursement?

• If so, for what services and under what conditions (e.g., voice usage, data usage, Wi-Fi hotspot usage, roaming usage, business vs. personal usage, manager approval, etc.)?

• Are any services not eligible for reimbursement (e.g., SMS/MMS, ringtone downloads, 411 calls, any service not explicitly identified as eligible for reimbursement)?

• Are there any caps on reimbursement (e.g., in the form of fixed monthly stipends or maximum-expense limits, independently of charges incurred)?

• Are individual users ever eligible for full or partial reimbursement of device acquisition or replacement costs?

Different companies answer these questions in different ways and there are numerous acceptable BYOD policies.  Choose the one that’s best for your business.

eDiscovery

When an employer is involved in litigation, it needs to know where company information is located and what it contains, and it needs to review that information in order to determine whether to ultimately produce it.

Electronically stored information, or ESI, is subject to discovery, which means it can be requested as evidence in a court case.  ESI is a category of discoverable information separate from print documents, and includes both structured and unstructured data such as emails, instant message logs, Word documents, PowerPoint presentations, and other types.

In litigation, eDiscovery is the process of identifying, collecting, preserving, reviewing and producing relevant electronic data or documents.  Determining which ESI is relevant is complicated and expensive because of the vast quantities of electronic information, the difficulty of obtaining it, and the effort required to review it so as to identify what is relevant while not producing privileged or confidential information.

BYOD and mobile devices present four challenges to eDiscovery:

• The company does not own or physically control the devices;

• There are a wide variety of potential data types to consider;

• The data can potentially reside in multiple locations;

• Safeguarding and retrieving the data can be difficult.

If you have a BYOD policy, or are considering implementing one, consider the following best practices to ensure that it is eDiscovery friendly:

• Mandate that employee devices be configured to save information directly to the company servers.

• Sync data between employee devices and company servers regularly.

• Ensure that your BYOD policy is forthright and outlines the exact process for eDiscovery, including a clear chain of custody.

• Consider purchasing and implementing one of the many applications capable of separating business data and personal data, making it especially easy for employers to locate discoverable data.

By taking these steps, you will minimize the costs associated with eDiscovery in case you are ever involved in litigation.

Termination of Employment Relationship

As part of your BYOD policy, you should outline the process for what happens when the employment relationship is terminated.  In most cases, a company wants to remove its data from an employee’s personal device when he or she leaves.  To accomplish this, the organization may require the employee to submit the device to the IT department, wipe it remotely, or simply tell the employee to delete the data.  Choose what policy and procedures work best for your organization.  Also make sure that employees are disconnected from the corporate network and are no longer able to access it after the employment relationship is ended.

That’s it for this week. Let me know if you have any questions about BYOD or if your BYOD policies contain some interesting provisions. Have a Happy Holiday!

Mobile Apps, Children’s Privacy and COPPA

Tags: Apps, COPPA, Preparation, Privacy

It was recently reported that mobile apps are still collecting lots of personal information about children and still may not be complying with the Children’s Online Privacy Protection Act, 15 USC Chapter 91, §§ 6501-6506, or the Federal Trade Commission’s (“FTC’s”) Final Amended COPPA Rule (collectively, “COPPA”).  See also FTC, “Complying with COPPA: Frequently Asked Questions”, July 16, 2014.  App developers need to make sure their apps comply with COPPA, as the FTC is actively cracking down and there is an increased risk of a class action lawsuit based on a COPPA violation.

COMPLIANCE WITH COPPA

The primary goal of COPPA is to place parents in control over what information is collected online from kids under the age of 13 (“Children”), while accounting for the dynamic nature of the Internet.  To comply with COPPA, an app developer should follow these steps (see FTC, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for your Business):

1.  Determine if COPPA Applies to Your App or Website

COPPA only applies to the following:

• Operators of commercial websites or online services that are directed to Children and collect, use, or disclose Children’s personal information;

• Operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from Children; and

• Operators of websites or online services with actual knowledge that they are collecting, using or disclosing personal information directly from users of another website or online service directed to Children.

Several key terms need a little more explanation to appreciate the scope of COPPA:

Website or Online service:  This term is defined broadly by COPPA. Aside from websites, the following are potentially within COPPA’s scope:

o Mobile apps that send or receive information online,

o Internet-enabled gaming platforms,

o Plug-ins,

o Advertising networks,

o Internet-enabled location-based services, and

o Voice-over-internet-protocol services.

Personal Information: The definition of personal information under COPPA is shockingly broad and includes any one of the following categories of information (“Personal Information”):

o First and Last Name;

o A home or physical address, including street name and name of a city or town;

o Online contact information;

o A screen or user name that functions as online contact information;

o A telephone number;

o A social security number;

o A persistent identifier that is used to recognize a user over time and across different websites or online services;

o A photograph, video, or audio file that contains a child’s image or voice;

o Geolocation information sufficient to identify the street name and city or town name; or

o Information concerning the child or child’s parents that the operator collects online and combines with an identifier above.

Directed at Children: The FTC looks at a variety of factors to determine if an app is directed at Children:

o the subject matter of the site or service,

o audio/visual content,

o the use of animated characters,

o child-oriented activities and incentives,

o the age of models,

o the presence of child celebrities,

o ads directed to children, and

o other reliable evidence about the age of the actual or intended audience.

Collect: Under COPPA, an app collects Personal Information if it does one of the following:

o Requests, prompts, or encourages the submission of information, even if it’s optional;

o Lets Personal Information be made publicly available (such as in a public chat), unless you take reasonable efforts to delete virtually all Personal Information before postings are made public AND delete all such information from your records; or

o Passively tracks a child online.

If your app or website is covered by COPPA, move on to step 2. Congratulations if you think it is not covered! But I suggest you talk with an attorney to confirm that COPPA does not apply to your app. You do not want to be wrong here!

2.  Post a COPPA Compliant Privacy Policy

If covered by COPPA, your app must post a privacy policy that clearly and comprehensively describes how Personal Information is collected from Children and how it is handled. To complicate matters, the privacy policy must describe your own policies AND the practices of any third parties collecting Personal Information on your service, such as plug-ins or ad networks.

To comply with COPPA, your privacy policy should be clear, easy to read, and include the following information:

A List of All Operators Collecting Personal Information:  Your policy should identify each operator that collects or maintains a child’s Personal Information through your app.  Include a name and contact information (address, telephone number, and email address) for each operator.  If more than one operator collects Personal Information, it is acceptable to only provide contact information for one operator, so long as the selected operator will respond to inquiries about your app’s practices with respect to the other operators.  The other operators still need to be identified in your privacy policy.

A Description of the Personal Information Collected and How It’s Used:  Your privacy policy must describe the following:

o Types of Personal Information collected from Children;

o Ways that the Personal Information is collected (directly, or indirectly through cookies);

o How Personal Information will be used (i.e. marketing, notifying contest winners, incentives, or allowing children to post information);

o Whether the app discloses Personal Information to third parties, such as ad networks, and how those third parties use the information.

Description of Parental Rights:  Your app’s privacy policy must tell parents that:

o Your app won’t require a child to disclose more Personal Information than reasonably necessary to participate in the app’s activity;

o They have the right to review the child’s Personal Information, can direct you to delete it, and refuse to allow any further collection or use of the child’s Personal Information;

o They can agree to your app’s collection and use of their child’s Personal Information but still forbid disclosure to third parties, unless disclosure is part of the service (such as social networking); and

o The procedures that a parent must follow to exercise their rights.

Make sure that your privacy policy accurately describes your app’s practices and that you follow through on all promises made. Nothing will generate an FTC enforcement action quicker than a privacy policy that misrepresents the practices of the app.

3.  Notify Parents Directly Before Collecting Personal Information from Children

COPPA requires that your app provide parents with “direct notice” before collecting Personal Information from their child. The notice should be clear and easy to read, and should tell parents:

• Your app collected their online contact information for the purpose of getting their consent;

• Your app wants to collect Personal Information from their child;

• The parent’s consent is required for the collection, use, and disclosure of the child’s Personal Information;

• The specific Personal Information your app wants to collect and how it might be disclosed to others;

• A link to your online privacy policy;

• How the parent can give their consent; and

• If the parent does not consent within a reasonable time, you will delete the parent’s online contact information from your records and their child will not be able to use the app.

4.  Get Parent’s Verifiable Consent Before Collecting Information

Your app must also obtain parent’s verifiable consent before collecting Personal Information about the child.  COPPA does not specify how to obtain verifiable consent, but it is critical to use a method that is reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent.

Acceptable methods of obtaining verifiable consent include:

• Provide a consent form to be signed by the parent via U.S. mail, fax or electronically;

• Require the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;

• Have the parent call a toll-free number staffed by trained personnel, or have the parent connect to trained personnel via video-conference;

• Verify the parent’s identity by checking a form of government-issued identification (such as driver’s license or passport) against databases of such information. Make sure to delete the parent’s identification info after completing the verification;

• Use the “email plus” method if you are only going to use Children’s Personal Information for internal purposes and will not be disclosing to any third party;

• Use a common consent mechanism between multiple app developers who use the same system of obtaining verifiable consent;

• Rely on an app store to gain parental consent on your app’s behalf. Note that entry of a parent’s app store account number or password is not sufficient on its own. The account number and password need to be used with other indicia of reliability to show that it is the parent giving the consent. Also, your app still needs to meet COPPA’s other requirements (such as the direct notice requirement);

• You can also apply to the FTC for pre-approval of a new method.  The FTC has already accepted some proposed new methods of verifiable consent and regularly evaluates new ones.

There are certain circumstances under COPPA where your app can collect and use a narrow class of Personal Information without obtaining parental consent.  Check out the FTC’s website for a helpful chart of these limited exceptions.

5.  Respect Parents’ Ongoing Rights

Make sure to respect parents’ ongoing rights with respect to their child’s Personal Information.  If a parent asks, you must:

• Give the parent a way to review the Personal Information collected about the child;

• Give the parent a way to retract their consent and refuse the further use or collection of Personal Information about the child; and

• Delete the child’s Personal Information.

Note that you must walk a fine line before disclosing Personal Information about a child.  Take reasonable steps to ensure that you are dealing with a child’s parent and not some stranger. But do not make these steps so onerous that the real parent can’t find out what Personal Information your app is collecting about the child.

6.  Implement Reasonable Safeguards for Children’s Personal Information

COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of Children’s Personal Information.  The first step is to limit the Personal Information collected to what is absolutely necessary for your app’s services.  Then take reasonable steps to release Children’s Personal Information only to third parties capable of maintaining its confidentiality, security and integrity, and obtain contractual assurances that those third parties will live up to those responsibilities.  Finally, retain Children’s Personal Information only as long as reasonably necessary, and securely dispose of it as soon as you no longer have a legitimate reason for retaining it.

7. Investigate Participating in a COPPA Safe Harbor Program

As an app developer, one alternative worth investigating is an FTC-approved COPPA Safe Harbor Program.  COPPA Safe Harbor programs are self-regulatory guidelines, developed by various industry groups and approved by the FTC, for complying with COPPA.

You can obtain two benefits by participating in one of these programs.  First, your app will be deemed compliant with COPPA so long as it follows the program’s guidelines.  Second, your app will be subject to the review and disciplinary procedures outlined in the program’s guidelines instead of a formal FTC investigation and enforcement.  Both are worthwhile, so you should consider participating in one of these programs.

ENFORCEMENT OF COPPA

COPPA is usually enforced by the FTC, although some state attorneys general have brought COPPA enforcement actions in the past. New Jersey, in particular, has brought and settled at least two COPPA enforcement actions against app developers.

The FTC has recently warned that mobile apps will be an enforcement priority under COPPA, and has already announced two settlements with mobile app developers:

1. Yelp:  Yelp, the online review website and app, paid $450,000 to settle charges that it violated COPPA by collecting Children’s Personal Information without sufficient parental notice or consent.  Yelp allegedly employed an age-screening mechanism that required a birth-date in order to register for its app, but thousands of Children were allowed to register, without notice or parental consent, after providing birth-dates that showed they were under 13.

2. TinyCo:  TinyCo, the developer of Tiny Pet and other apps, paid $300,000 to settle charges that it violated COPPA by collecting Children’s email addresses without sufficient notice and parental consent.   The email addresses were allegedly collected in exchange for free in-app currency.

In light of the FTC’s warnings, more enforcement actions against app developers are likely and the costs can be significant. In addition to the investigatory costs and the hit to your reputation, violators of COPPA can be penalized up to $16,000 per violation. That’s not chump change!

There is also a heightened risk of a class action lawsuit for failure to comply with COPPA.  Usually, COPPA violations are considered unlikely candidates for class action lawsuits because COPPA does not provide a private cause of action.  Without a cause of action, an individual or class cannot allege a COPPA violation as the basis for a complaint for damages.  This calculation may have changed in light of a recent Connecticut Supreme Court case:  Byrne v. Avery Center for Obstetrics and Gynecology, No. 18904 (Conn. Nov. 11, 2014).

In Byrne, the Court found that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations of the Department of Health and Human Services (“HHS”) can “inform” the standard of care for a common law negligence action.  In this case, Emily Byrne received medical care from the Avery Center (“Center”) while in a personal relationship with Andro Mendoza. Mendoza filed a paternity suit, and the court issued a subpoena to the Center to appear with Byrne’s medical records.  Byrne did not want the Center to release her medical records.  But the Center mailed a copy of the medical forms to the court.  Byrne claimed that the disclosure of the medical forms was not done in accordance with HIPAA and that she should have been notified of the subpoena.

As a result of the disclosure, Byrne filed suit for breach of contract, negligently releasing her medical file without authorization, negligent misrepresentation of the Center’s privacy policy, and negligent infliction of emotional distress.  After a motion for summary judgment, the trial court dismissed part of Byrne’s complaint and found that Byrne’s common law negligence and infliction of emotional distress claims were preempted by HIPAA, which does not provide a private cause of action.  The Connecticut Supreme Court reversed and concluded that “to the extent it has become the common practice for . . . follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

This decision is significant in several respects.  For app developers, the most important consequence is that it provides a road map for a potential plaintiff on how to sue for a violation of COPPA.  The plaintiff would need to plead a common law negligence claim related to the violation and argue that COPPA and the FTC regulations inform the duty of care applicable to such actions.  Alternatively, the plaintiff could argue that the COPPA violation is an unfair and deceptive trade practice under the state’s consumer protection laws.

It is still unclear whether these strategies will work or whether these strategies are preempted by COPPA.  I will postpone this discussion for another blog post.  But if app developers continue to ignore COPPA, plaintiffs and their attorneys may start actively pursuing these cases.  There is too much money potentially at stake.  Stay tuned for further developments.

Thanks for reading.

Eight Steps to Reduce the Risk of Identity Theft

Tags: Consumer, Identity Theft, Prevention

I spent the last couple of weeks talking about steps a business can take to secure the personal information collected from consumers and how to prepare for the inevitable data breach. Businesses are only part of the risk, however, and consumers should take some steps to reduce their risk of identity theft:

1. Protect Social Security Number (“SSN”)

Your SSN is one of the most critical pieces of personal information that needs to be protected, and it is the primary target of criminals.  With it, an identity thief can open fraudulent accounts in your name, charge unlimited amounts to these accounts, and create a false identity in multiple locations. At a minimum, you should take the following steps to protect your SSN:

• Only release your SSN when absolutely necessary, such as for tax forms, employment records, financial accounts, and property transactions. If a business requests your SSN, ask why it’s necessary and whether a different identification method can be used.  Ask to see the company’s written policy on SSNs and find out what the business will do with your SSN and the consequences if you refuse to provide it.  Most businesses are now aware of the sensitivity of this number, and few ask for it any longer.  If necessary, threaten to take your business elsewhere if the business won’t let you use a different form of identification.

• Do not carry your SSN in your wallet, except for situations when it is required, such as the first day on the job or when opening a financial account.

• Memorize your SSN and keep the card itself in a safe place in your home.

• Do not provide your SSN over the phone unless it is to a trusted source. Try not to say your SSN out loud when in a public place. If you need to provide it to a merchant or health care provider, try to speak softly and make sure no one is listening.

2. Monitor Account Statements

Regularly monitor the following account statements for unusual activity and unauthorized transactions: bank, credit card, phone, cell phone, loyalty cards, investments, and other financial accounts. These types of accounts have been targeted by criminals in the past and are at risk for attacks in the future. Through regular monitoring, you can hopefully identify unusual activity quickly, before too much damage is done. Report any suspicious activity to the appropriate account provider.

3. Clean out Your Wallet/Purse

Clean out your wallet or purse of all unused credit cards. Cancel these credit cards or put them in a safe place for emergencies.  Take this opportunity to safely dispose of old receipts, bank withdrawal slips, and any other document that might have sensitive personal information.  Proper disposal methods are discussed below at Step 8.

4. Order your Free Annual Credit Report

Federal law gives you the right to one free credit report from each of the three major credit bureaus: Equifax, Experian and TransUnion.  For maximum security, stagger these requests by asking for a free credit report every 4 months from a different credit bureau.  Your free credit report can be ordered in any one of the following ways:

Phone: (877) 322-8228
Internet: www.annualcreditreport.com
Mail: Print out the order form here: http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf.

There are many websites that offer a “free credit report” but these are often an attempt to get you to sign up for some other service.  Unless you need the service, do not waste your time or money.

When reviewing your credit report, look for the tell-tale signs of fraudulent activity: inquiries not generated by you and new credit accounts that you did not open. If you identify suspicious activity, follow the steps outlined here: https://www.annualcreditreport.com/protectYourIdentity.action. These steps include placing an initial fraud alert on your credit file, contacting the security or fraud department of each company where the account was opened, filing a report with law enforcement officials, and others.

5. Protect your Internet Devices

Any time you connect to the internet through a computer, laptop, or mobile device (“Internet Devices”), you run the risk of downloading a virus, malware, or having your activity monitored by a hacker.  To better protect yourself take these steps on all of your Internet Devices:

Use a Firewall: A firewall blocks unauthorized access to your Internet Devices while still allowing you to access the Internet. Make sure that your Internet Devices have a firewall installed and activated.

Use an Antivirus Program: Antivirus programs help you prevent, detect and remove viruses, Trojan horses, and other malware. Install and regularly update antivirus programs on all Internet Devices.

Use Spyware Blocking Software: Spyware is a program that secretly collects information about you and can make your computer engage in unwanted activities. If not included with your antivirus program, install and regularly update spyware blocking software on all Internet Devices.

Install Updates: It is important to regularly install updates and patches on all of the programs, apps and operating systems on your Internet Devices. Many updates solve critical security flaws that can be taken advantage of by cyber criminals if not repaired.  If available, set up automatic updates so that you don’t forget.

Use Strong Passwords: Create strong, unique passwords to access each of your Internet Devices. At a minimum, your password should be at least 8 characters long and include upper and lowercase letters, numbers and non-alphabetic characters (!, #, %, &, $, etc.). See Microsoft Tips for Creating a Strong Password. Do not use dictionary words or personal information for your passwords, and use a different password for each device and account. Change your password every 3-4 months.
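To make those minimum rules concrete, the Python below is an added example (not code from the original post or from Microsoft's tips). It checks a candidate password against the length, character-class, dictionary-word and personal-information rules above and also flags a password reused across accounts. The word list and the personal details are constructed for the example; a real check would load a much larger dictionary.

```python
import string

# Constructed stand-in for a real dictionary file (assumption: a real check would load
# a much larger word list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "football", "sunshine"}

# Symbols the post calls "non-alphabetic characters" (!, #, %, &, $, etc.).
SYMBOLS = set(string.punctuation)


def password_problems(password, personal_info=()):
    """Check a password against the post's minimum rules.

    Returns a list of human-readable problems; an empty list means the password passes.
    personal_info is an iterable of strings (name, birth year, street, ...) that must not appear.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol such as !, #, %, & or $")

    # Strip digits and symbols before the dictionary check so that "Password1!" is still
    # recognised as the dictionary word "password" with decoration bolted on.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in COMMON_WORDS:
        problems.append("built on a dictionary word")

    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


def reused_passwords(accounts):
    """Given {account_name: password}, return {password: [accounts]} for every password used more than once."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is a real credential.
    for candidate in ["Ab1!", "Password1!", "Smith1985!x", "Wz7#kqL!pR2"]:
        print(candidate, "->", password_problems(candidate, personal_info=["Smith", "1985"]) or "OK")
    print(reused_passwords({"bank": "Wz7#kqL!pR2", "email": "Wz7#kqL!pR2", "shop": "Qp9$mNv!tX4"}))
```

The dictionary check deliberately ignores digits and symbols, because adding a "1!" to a common word is the most frequent way people satisfy character-class rules without actually gaining strength.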

Also, if your Internet Device supports it, you should consider using two-factor authentication. Two-factor authentication involves using a password plus something else to identify you, such as a USB stick, fingerprint, mobile phone, or key. This is a much more secure way to protect an Internet Device than a password alone and is likely the wave of the future.

Encryption: Encryption is the process of scrambling and encoding information in such a way that the information can only be properly viewed and understood with a key (or password). Several encryption programs are readily available at reasonable prices. File-level and whole-disk encryption are now also available by default on some versions of Microsoft Windows, OS X, and new iPhones and Google Android devices. Before encrypting anything, make sure you understand the process completely and store the key in a separate safe location. It would be a shame to encrypt a device or file and not be able to access it in the future!

Avoid Public Wi-Fi Hotspots: Public Wi-Fi hotspots in coffee shops, libraries, trains, and other locations are convenient but usually not secure. Many don’t require a password to use and anything you send can be viewed by others on the network.  Avoid using Public Wi-Fi when accessing any private online account information.

If you need to use Public Wi-Fi to access online accounts, there are protections you can put in place to secure your information. See the OnGuardOnline.gov Tips for Using Public Wi-Fi Networks. The most versatile and convenient way is to use a virtual private network (VPN). VPNs encrypt traffic between your Internet Devices and the internet, even on an insecure network. VPN accounts can be obtained from a VPN service provider, such as Private Internet Access, TorGuard, and many others. These services can be used with most types of Internet Devices.

6. Secure your Home Network

Most of us now run Internet Devices and connect to the Internet through wireless home networks and a wireless router. These routers allow multiple Internet Devices and users to access the internet from different parts of your home. Unless you secure your router, however, you’re vulnerable to other people accessing your network, using your bandwidth, gaining access to all of the Internet Devices on the network, or using your network to commit cyber crimes. Several steps can be taken to protect your home network, although these steps require you to log in to your router’s administration page. This is easily done and there are plenty of guides on the internet that will help. See e.g., http://compnetworking.about.com/od/wifihomenetworking/ht/access-routers.htm. After accessing your wireless router, do the following to make your router more secure:

Change Default Name on Router: Your wireless router comes with a default SSID name that is assigned by the manufacturer. The default SSID is usually named “default” or is set as the brand name of the router (e.g. Linksys). The name should be changed to a name that is unique to you and won’t be easily guessed by others. That way, you will always be sure that you and your guests are connecting to the correct wireless network, even if there are multiple networks in the area. Important Tip: Don’t use your name, home address, or other personal information in the SSID name. Choose something you can remember, but that others will not connect to you.

Change Default Username and Password:  Your wireless router also comes with a default username and password (often admin/password).  These defaults are not secure!  There is a publicly available database of default usernames and passwords for every wireless router manufacturer that can be accessed by anyone, including criminals. Follow the guidelines from No. 5 in order to create a more secure password for your router.  Make sure to memorize this password and put it in a safe place.  Otherwise, you will be locked out of your router, which is never a good thing!

Upgrade Router’s Firmware: You should regularly check the router manufacturer’s website to make sure the router is running the latest firmware. Like every other piece of software and hardware, routers usually need to be updated. Upgrade and update as needed.

Enable Network Encryption: To prevent unwanted computers from using your internet connection, encrypt your wireless signals. There are several encryption methods for wireless settings, such as WEP, WPA, and WPA2; choose WPA2, as WEP and the original WPA are older and weaker. If you don’t see WPA2 as an encryption option for your router, upgrade the firmware or buy a new wireless router, as your current one is too old to support an upgrade to WPA2.

Follow the guidelines from No. 5 in order to create a secure password for encrypting your network. Do not use the same password as your router password. You want different and unique passwords for each purpose.

Filter Network Access by MAC Addresses: Media Access Control addresses (“MAC Addresses”) are unique IDs assigned to every Internet Device. For an added layer of protection, you can add the MAC addresses of your Internet Devices to your router settings so that only those devices can access your network. This is a solid way to increase security, but not foolproof. Somebody can still sniff your Wi-Fi traffic and then spoof the MAC address of their device to match one on your network. Filtering by MAC addresses can also be a hassle when guests come over and want to use your network. To let them, you have to log into your router and add their MAC address or temporarily turn off MAC filtering. So I leave it up to you whether you think this extra step is necessary.

7. Watch out for phishing scams

Phishing scams are an attempt to acquire your personal information by sending an email that purports to be from a trusted source. For example, you might receive an email that appears to come from your bank that says “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below to confirm your identity.” If you click on the link, you will either download a virus/malware that captures your passwords or be taken to a spoofed website that resembles your bank’s website and gets you to divulge your private information.

To protect yourself from phishing scams, follow these suggestions:

• Be suspicious of any email or communication (including text messages, social media posts, phone calls, ads) with urgent requests for personal financial information.

• Avoid clicking on links. Instead go to the website by typing the web address directly into your browser or by searching for it in a search engine. When in doubt, independently verify the alleged problem with the trusted source by calling them at a phone number you know is accurate.

• Don’t send personal information such as passwords, account info, financial info, medical info or other sensitive information by email. Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you can see that the website is secure.

• Use a secure website (indicated by a https:// and a security “lock” icon) when submitting credit card or other sensitive info online. Never use unsecured Wi-Fi for banking, shopping or entering personal information, even if the website is secure.
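The last two suggestions, look at where a link really goes and insist on https, can be turned into a short routine. The Python below is an added example, not code from the original post: it compares a link's visible text with its real target, checks the scheme, and flags the common tricks (a user@host prefix, a bare IP address, a look-alike domain). The host names and addresses are constructed for illustration, and the "registrable domain" is approximated by the last two labels of the host name rather than a public-suffix list.

```python
import ipaddress
from urllib.parse import urlparse


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels of the host name.

    Assumption: no public-suffix list is consulted, so "example.co.uk" style hosts are
    reduced to "co.uk"; good enough to illustrate the comparison.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(display_text, href, trusted_domain):
    """Return a list of warnings for a link found in an email.

    display_text   the text the reader sees (may itself look like a web address)
    href           the real target the link goes to
    trusted_domain the site the message claims to be from, e.g. "mybank.com"
    An empty list means nothing suspicious was found by these checks.
    """
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""

    if target.scheme != "https":
        warnings.append(f"link is not https (scheme is {target.scheme or 'missing'})")

    # "https://mybank.com@203.0.113.9/" really goes to 203.0.113.9; the part before @ is ignored.
    if target.username is not None:
        warnings.append(f"address has a user@host prefix; the real host is {host!r}")

    try:
        ipaddress.ip_address(host)
        warnings.append("link points at a bare IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name (or empty), not an IP literal

    if host and registrable_domain(host) != registrable_domain(trusted_domain):
        warnings.append(
            f"real target domain {registrable_domain(host)!r} is not {trusted_domain!r}"
        )

    # Classic trick: the visible text shows the bank's address while the link goes elsewhere.
    shown = urlparse(display_text if "://" in display_text else "https://" + display_text)
    shown_host = shown.hostname or ""
    if "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
        warnings.append(f"visible text shows {shown_host!r} but the link goes to {host!r}")
    return warnings


if __name__ == "__main__":
    # Constructed examples; the hosts and addresses are made up for illustration.
    samples = [
        ("Confirm your identity", "http://mybank-secure-login.example/verify", "mybank.com"),
        ("www.mybank.com", "https://mybank.com@203.0.113.9/login", "mybank.com"),
        ("www.mybank.com", "https://www.mybank.com/login", "mybank.com"),
    ]
    for shown, real, trusted in samples:
        print(f"{shown!r} -> {real}")
        for w in link_warnings(shown, real, trusted) or ["no warnings"]:
            print("   ", w)
```

A clean result from these checks is not proof that a link is safe; it only means the obvious mismatches are absent. The post's advice still applies: type the address yourself, or call the organization at a number you already know.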

If you suspect that you have received a phishing e-mail, forward the email to spam@uce.gov and to the company, bank or organization named in the email. You can also report it to reportphishing@anti-phishing.org. The Anti-Phishing Working Group is a group of internet service providers, security vendors, financial institutions, and law enforcement that uses these reports to fight phishing.

8. Safe Disposal

This step is often overlooked, but is critical.  When you decide to get rid of old computers, mobile devices, or papers that contain personal information, make sure that the personal information is permanently destroyed.  Crooks will dumpster dive or buy used computers to look for sensitive personal information.

There are different methods for permanently destroying personal information, depending on where the information was stored:

Papers: Papers should be shredded or incinerated. When shredding, use a cross-cut shredder rather than a strip-cut shredder.  Pieces from a strip-cut shredder can still potentially be put back together, whereas it’s nearly impossible to do so from a cross-cut shredder.

Computers/Laptops: Before disposing of a computer or laptop, you need to get rid of all the personal information that is stored on the hard drive. Deleting is not sufficient, and you will need specialized software to wipe the hard drive clean. The other alternative is to physically destroy the hard drive.

After wiping or destroying the hard drive, take the device to one of the electronics recycling centers identified on the Massachusetts Office of Energy and Environmental Affairs website.  Many of these centers are national and not just restricted to Massachusetts.

Mobile Devices: Mobile devices store a lot of personal information like addresses, phone numbers, passwords, etc., and you want to make sure that this information is removed properly. Review your owner’s manual or check the website of your mobile provider for detailed information about what you need to do to wipe these devices clean. You can also check out these helpful tips from the FTC about how to dispose of your mobile device. After the device is wiped clean, dispose of the mobile device in the same fashion as with computers.

The Cloud: Unfortunately, there is no way for you to control how your information is destroyed from the hard drives of your cloud provider. Contact your cloud provider and ask them about their data destruction policies.

Portable Storage Devices: Flash drives should be wiped clean or destroyed in the same way as computers. CDs and DVDs can be physically destroyed by breaking them into many pieces. If you still have floppy disks or tapes, cut them into smaller pieces.

That’s it for this week.  Hopefully you find these steps useful for protecting yourself from identity theft. Thanks for reading.  Please let me know if you have any questions or want to talk about steps that you have taken to protect yourself from identity theft.